package com.telecom.hz.sample.config;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

import com.telecom.hz.sample.service.CustomUserDetailsService;

/**
 * @author 853976819@qq.com
 * @version v1.0
 * @date 2017年7月20日  上午9:32:19
 */
@EnableWebSecurity
public class WebSecurityConfig {
	
	@Autowired
	private CustomUserDetailsService userDetailsService;

	@Configuration
	@Order(1)                                                        
	public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
		protected void configure(HttpSecurity http) throws Exception {
			http
				.csrf().disable()
				.antMatcher("/api/**").authorizeRequests().anyRequest().hasRole("REMOTE").and()
				.httpBasic();
		}
	}

	@Configuration                                                   
	public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

		@Override
		protected void configure(HttpSecurity http) throws Exception {
			
			/*
			 * TODO: 在此处配置动态权限
			 */
			http
				.csrf().and()// csrf protection enable, enable by default
				.headers().referrerPolicy(ReferrerPolicy.SAME_ORIGIN)// same origin enable
					.and().and()
				.authorizeRequests()
					.antMatchers("/public/**").permitAll()
					.antMatchers("/", "/index").permitAll()
					.anyRequest().authenticated()
//					.anyRequest().permitAll()
					.and()
				.formLogin()
					.loginPage("/login").permitAll()
					.loginProcessingUrl("/login")
					.defaultSuccessUrl("/")
					.and()
				.logout()
					.logoutUrl("/logout").permitAll()
					.logoutSuccessUrl("/")
					.invalidateHttpSession(true);
		}
	}
	
	/**
	 * 认证管理
	 * @return
	 */
	@Bean("authenticationManager")
	public ProviderManager providerManager() {
		AuthenticationProvider[] providers = {daoAuthenticationProvider()};
		ProviderManager providerManager = new ProviderManager(Arrays.asList(providers));
		return providerManager;
	}
	
	@Bean
	public DaoAuthenticationProvider daoAuthenticationProvider() {
		DaoAuthenticationProvider daoProvider = new DaoAuthenticationProvider();
		daoProvider.setUserDetailsService(userDetailsService);
		daoProvider.setPasswordEncoder(bCryptPasswordEncoder());
		return daoProvider;
	}
	
	/**
	 * 密码加密方式
	 * @return 
	 */
	@Bean
	public BCryptPasswordEncoder bCryptPasswordEncoder() {
		return new BCryptPasswordEncoder();
	}
}
